authorDavid Lönnhager <david.l@mullvad.net>2024-10-18 12:59:23 +0200
committerDavid Lönnhager <david.l@mullvad.net>2024-10-18 12:59:23 +0200
commit8fce366d223a02d684083df2e048cb3d04fb97fb (patch)
tree3c61df2cabfe3dea63827547ff735120f12daf60
parenta2db73cd2032a9212c933a2591e0a93e6cffc9fa (diff)
parent97130bbd049122f564b923fb18ed6f46ef42344a (diff)
downloadmullvadvpn-8fce366d223a02d684083df2e048cb3d04fb97fb.tar.xz
mullvadvpn-8fce366d223a02d684083df2e048cb3d04fb97fb.zip
Merge branch 'macos-ignore-redirect-for-loopback'
-rw-r--r--talpid-core/src/dns/mod.rs13
-rw-r--r--talpid-core/src/firewall/macos.rs1
-rw-r--r--talpid-core/src/tunnel_state_machine/connected_state.rs14
3 files changed, 23 insertions, 5 deletions
diff --git a/talpid-core/src/dns/mod.rs b/talpid-core/src/dns/mod.rs
index d6fd333449..f803842ef9 100644
--- a/talpid-core/src/dns/mod.rs
+++ b/talpid-core/src/dns/mod.rs
@@ -133,6 +133,19 @@ impl ResolvedDnsConfig {
pub fn addresses(self) -> impl Iterator<Item = IpAddr> {
self.non_tunnel_config.into_iter().chain(self.tunnel_config)
}
+
+ /// Return whether the config contains only (and at least one) loopback addresses, and zero
+ /// non-loopback addresses
+ pub fn is_loopback(&self) -> bool {
+ let (loopback_addrs, non_loopback_addrs) = self
+ .tunnel_config
+ .iter()
+ .chain(self.non_tunnel_config.iter())
+ .copied()
+ .partition::<Vec<_>, _>(|ip| ip.is_loopback());
+
+ !loopback_addrs.is_empty() && non_loopback_addrs.is_empty()
+ }
}
/// Sets and monitors system DNS settings. Makes sure the desired DNS servers are being used.
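Review bot: `is_loopback` allocates two `Vec`s via `partition` only to test emptiness, and the `.copied()` is unnecessary since `IpAddr::is_loopback` takes `&self`; the same predicate can be written without allocation as `let mut addrs = self.tunnel_config.iter().chain(self.non_tunnel_config.iter()).peekable();` followed by `addrs.peek().is_some() && addrs.all(|ip| ip.is_loopback())`. The doc comment is also redundant ("only ... loopback addresses, and zero non-loopback addresses" says the same thing twice); suggest `/// Returns true if the config has at least one address and every address is loopback.`, and since the callers use this to skip the DNS redirect and forwarder on macOS, it is worth adding `/// A config mixing loopback and non-loopback servers is treated as non-loopback.` so the fall-through behaviour for mixed configs is explicit. The enclosing `impl ResolvedDnsConfig` starts outside the hunk.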
diff --git a/talpid-core/src/firewall/macos.rs b/talpid-core/src/firewall/macos.rs
index 73308d8dd9..116596b33e 100644
--- a/talpid-core/src/firewall/macos.rs
+++ b/talpid-core/src/firewall/macos.rs
@@ -207,6 +207,7 @@ impl Firewall {
policy: &FirewallPolicy,
) -> Result<Vec<pfctl::RedirectRule>> {
let redirect_rules = match policy {
+ FirewallPolicy::Connected { dns_config, .. } if dns_config.is_loopback() => vec![],
FirewallPolicy::Blocked {
dns_redirect_port, ..
}
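Review bot: The new guard arm returns no redirect rules for a loopback DNS config without saying why, and it sits in a match whose other arms all produce redirects, so a reader of `redirect_rules` cannot tell whether this is deliberate or a missing case; suggest a comment on the arm such as `// DNS servers are all loopback (see ResolvedDnsConfig::is_loopback): there is no upstream to redirect to, so the filtering resolver is bypassed`. This presumably relies on the filter rules elsewhere in this file still permitting traffic to the loopback resolver and still blocking non-loopback DNS in the Connected state; that is not visible in the hunk and is worth confirming against the filter-rule construction. The enclosing function starts outside the hunk.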
diff --git a/talpid-core/src/tunnel_state_machine/connected_state.rs b/talpid-core/src/tunnel_state_machine/connected_state.rs
index d5eb5ac7b7..10d9ac9b72 100644
--- a/talpid-core/src/tunnel_state_machine/connected_state.rs
+++ b/talpid-core/src/tunnel_state_machine/connected_state.rs
@@ -165,11 +165,15 @@ impl ConnectedState {
// On macOS, configure only the local DNS resolver
#[cfg(target_os = "macos")]
- shared_values.runtime.block_on(
- shared_values
- .filtering_resolver
- .enable_forward(dns_config.addresses().collect()),
- );
+ if !dns_config.is_loopback() {
+ shared_values.runtime.block_on(
+ shared_values
+ .filtering_resolver
+ .enable_forward(dns_config.addresses().collect()),
+ );
+ } else {
+ log::debug!("Not enabling DNS forwarding since loopback is used");
+ }
Ok(())
}
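Review bot: The loopback branch only logs and does not touch `filtering_resolver`, so if the resolver was previously put into forwarding mode by an earlier connect with a non-loopback config, it is not visible here whether that forward state is cleared or simply left as is; if `enable_forward` has a counterpart that resets the upstreams, consider calling it in the `else` branch, otherwise a comment stating that the stale forward target is harmless because the redirect rules are not installed for loopback configs would help the next reader. The `debug!` message could also name what it means for the user, e.g. `log::debug!("Not enabling DNS forwarding: all DNS servers are loopback addresses");`. The enclosing function starts outside the hunk.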